Cyber security: the next consulting blockbuster

When does a big consulting service become a blockbuster?

The simple answer is that it’s when it ticks four boxes:

• It resonates with a widely-recognised issue in society: ‘just’ being a business concern is never enough to fuel exceptionally high levels of growth.
• It is a new issue: philosophers may tell us that there’s nothing really new under the sun, but corporate memory is short and each new generation of executives experiences something for the first time.
• It is supported by proof that something can be done: a helpless clients spends nothing.
• It will generate a large volume of consulting work, otherwise the incentive for consulting firms to invest in promoting the idea isn’t sufficiently great.

There are plenty of consulting services out there which haven’t (yet) delivered on their promised growth because they tick only three of these boxes. Environmental issues may chime with societal concerns, and may be new in the sense that the extent and likely impact of climate change is new; it may also be possible to point to organisations that have succeeded in reducing their environmental impact quite successfully. But none of these have translated into the type of multimillion dollar projects consulting firms need to see evidence of, if they’re going to invest in this area on a significant and sustained basis.

The annals of consulting are, of course, packed with not-quite-blockbusters, but it does look as though we have a genuine one on our hands today: cyber security. With every successive news item about a company that’s seen its customer data hacked, public concern grows. It’s a new battle for executives to fight, and one in which no one can afford to relax or cut corners. And it’s big business for consulting firms, some of whom have seen their cyber practices triple in size in the last year alone. “There’s no limit to how much we’ll spend on this,” one worried CIO told us. And unusually for even a blockbuster service, it’s hard to imagine that the end will ever be in sight: criminals kept out by a new lock on the door are simply going to find a new way in. The price of cyber security will be eternal vigilance.

However, we also know from looking at past blockbusters that the early proselytisers aren’t always the biggest beneficiaries. Frustratingly for those who’ve poured their hearts, souls, and millions of dollars into stimulating the interest in demand, the firms that follow in their footsteps often end up overtaking them if we look at revenue earned. Why this is tells us, I think, something quite profound about the nature of consulting. Most money isn’t (if we’re brutally honest) at the innovative, cutting edge of any new service, partly because many clients don’t want the risks associated with early adoption, and partly because at the outset it’s not clear what the consulting service is, to buyer or supplier. The firms that make the most money are those that take the initial work and convert it into something clients can understand and they (the supplier) can deliver.

So the real race behind the cyber security opportunity isn’t about who gets there first, it’s about who’ll work out what ‘there’ will be for the long-term. They’ll define the market, not discover it.